o CZcr@sddlZddlZddlZddlmZmZddlmZmZddlZddl m Z m Z m Z m Z ddlmZmZmZddlmZddlmZdd lmZdd lmZdd lmZmZmZdd lmZm Z m!Z!dd l"m#Z#ddl$m%Z%ej&Gdddej'Z(eddGdddZ)e)e(j*e(j*e)e(j+e(j+e)e(j,e(j,dZ-ej&Gdddej'Z.eddGdddZ/eddGdddZ0GdddZ1eddGdddZ2dS) N) dataclassfield)datetime timedelta)OptionalIterableUnionList)crlocspx509)timezone)pretty_message) type_name)OCSPFetchError)FetchersFetcherBackenddefault_fetcher_backend)default_permitted_subtrees PKIXSubtreesdefault_excluded_subtrees)ValidationPath)CertificateRegistryc@seZdZdZdZ dZ dZ dZ dZ dZ dZ e d e fd d Z e d e fd d Ze d e fddZe d e fddZe d e fddZe d e fddZdS)RevocationCheckingRulezg Rules determining in what circumstances revocation data has to be checked, and what kind. clrcheck ocspcheck bothcheck eitherchecknocheckifdeclaredcheckifdeclaredsoftcheckreturncCs|tjtjtjfvSN)rCHECK_IF_DECLAREDCHECK_IF_DECLARED_SOFTNO_CHECKselfr)S/var/www/chikooza/env/lib/python3.10/site-packages/pyhanko_certvalidator/context.pystrictSs zRevocationCheckingRule.strictcC|tjtjfvSr#)rr%r&r'r)r)r*tolerant\zRevocationCheckingRule.tolerantcCr,r#)r CRL_REQUIREDCRL_AND_OCSP_REQUIREDr'r)r)r* crl_mandatorycr.z$RevocationCheckingRule.crl_mandatorycC|tjtjfvSr#)rr& OCSP_REQUIREDr'r)r)r* crl_relevantjr.z#RevocationCheckingRule.crl_relevantcCr,r#)rr3r0r'r)r)r*ocsp_mandatoryqr.z%RevocationCheckingRule.ocsp_mandatorycCr2r#)rr&r/r'r)r)r* ocsp_relevantxr.z$RevocationCheckingRule.ocsp_relevantN)__name__ __module__ __qualname____doc__r/r3r0CRL_OR_OCSP_REQUIREDr&r$r%propertyboolr+r-r1r4r5r6r)r)r)r*rs8  rT)frozenc@sJeZdZUdZeed< eed< edefddZe de fdd Z d S) RevocationCheckingPolicyzu Class describing a revocation checking policy based on the types defined in the ETSI TS 119 172 series. ee_certificate_ruleintermediate_ca_cert_rulepolicycCs*zt|WStytd|dw)N'z ' is not a valid revocation mode)LEGACY_POLICY_MAPKeyError ValueError)clsrBr)r)r* from_legacys   z$RevocationCheckingPolicy.from_legacyr"cCs|jjo|jj Sr#)r@r-r'r)r)r* essentialsz"RevocationCheckingPolicy.essentialN) r7r8r9r:r__annotations__ classmethodstrrHr<r=rIr)r)r)r*r?s r?) soft-failz hard-failrequirec@seZdZeZeZdS)FreshnessReqTypeN)r7r8r9enumautoMAX_DIFF_REVOCATION_VALIDATIONTIME_AFTER_SIGNATUREr)r)r)r*rOs rOc@sNeZdZUdZeed< dZeeed< e j Z e ed< dZ eeed<dS)CertRevTrustPolicyzz Class describing conditions for trusting revocation info. Based on CertificateRevTrust in ETSI TS 119 172-3. revocation_checking_policyN freshnessfreshness_req_type!expected_post_expiry_revinfo_time) r7r8r9r:r?rJrVrrrOrRrWrXr)r)r)r*rTs  rTc@sDeZdZUdZeedZeej e d< eedZ eej e d<dS)ACTargetDescriptiona_ Value type to guide attribute certificate targeting checks, for attribute certificates that use the target information extension. As stipulated in RFC 5755, an AC targeting check passes if the information in the relevant :class:`.AATargetDescription` matches at least one ``Target`` in the AC's target information extension. default_factoryvalidator_namesgroup_membershipsN) r7r8r9r:rlistr\r r GeneralNamerJr]r)r)r)r*rYs  rYc!@seZdZUdZdZdZdZdZdZdZ dZ dZ dZ dZ dZeed<dZdddddddddddeddddddfdeeejdeeejd eeejd eeeeefd eed ed eeeeejfdeeeeejfdedee deededede!dee"def ddZ#e$defddZ%e$ddZ&e$ddZ'e$d d!Z(e$d"d#Z)d$d%Z*d&e+fd'd(Z,d)d*Z-d+d,Z.d-d.Z/d/d0Z0d1d2Z1d3d4Z2d5d6Z3d7d8Z4d9d:Z5d;d<Z6e$de"fd=d>Z7dS)?ValidationContextNF _fetchersrMr)seconds trust_rootsextra_trust_roots other_certswhitelisted_certsmomentallow_fetchingcrlsocspsrevocation_moderevinfo_policyweak_hash_algostime_toleranceretroactive_revinfofetcher_backendacceptable_ac_targetsfetcherscCs| dur tt| } n| jdurtd| jdurtd| |_|durMg}|D]!}t|tj sEt|t s?t t dt |tj |}||q)|}|duryg}|D]!}t|tjsqt|t skt t dt |tj|}||qU|}| jj}|dur|rtt dn|s|dur|dur|rtt d|durttj}n |durtt dt|_|dur|D]"}t|t r|d }|d d d d }|jt |!d q| durt| |_"nhd |_"d}|r|dur||_#n|durt$}|%|_#}|j&}t'||||d|_(||_)i|_*i|_+i|_,g|_-|r,||_-g|_.|r@||_.|D]}|/|q7t0||_1g|_2| rOt3| nt4d|_5| |_6||_7dS)aH :param trust_roots: If the operating system's trust list should not be used, instead pass a list of byte strings containing DER or PEM-encoded X.509 certificates, or asn1crypto.x509.Certificate objects. These certificates will be used as the trust roots for the path being built. :param extra_trust_roots: If the operating system's trust list should be used, but augmented with one or more extra certificates. This should be a list of byte strings containing DER or PEM-encoded X.509 certificates, or asn1crypto.x509.Certificate objects. :param other_certs: A list of byte strings containing DER or PEM-encoded X.509 certificates, or a list of asn1crypto.x509.Certificate objects. These other certs are usually provided by the service/item being validated. In TLS, these would be intermediate chain certs. :param whitelisted_certs: None or a list of byte strings or unicode strings of the SHA-1 fingerprint of one or more certificates. The fingerprint is a hex encoding of the SHA-1 byte string, optionally separated into pairs by spaces or colons. These whilelisted certificates will not be checked for validity dates. If one of the certificates is an end-entity certificate in a certificate path, any TLS hostname mismatches, key usage errors or extended key usage errors will also be ignored. :param moment: If certificate validation should be performed based on a date and time other than right now. A datetime.datetime object with a tzinfo value. If this parameter is specified, then the only way to check OCSP and CRL responses is to pass them via the crls and ocsps parameters. Can not be combined with allow_fetching=True. :param crls: None or a list/tuple of asn1crypto.crl.CertificateList objects of pre-fetched/cached CRLs to be utilized during validation of paths :param ocsps: None or a list/tuple of asn1crypto.ocsp.OCSPResponse objects of pre-fetched/cached OCSP responses to be utilized during validation of paths :param allow_fetching: A bool - if HTTP requests should be made to fetch CRLs and OCSP responses. If this is True and certificates contain the location of a CRL or OCSP responder, an HTTP request will be made to obtain information for revocation checking. :param revocation_mode: A unicode string of the revocation mode to use: "soft-fail" (the default), "hard-fail" or "require". In "soft-fail" mode, any sort of error in fetching or locating revocation information is ignored. In "hard-fail" mode, if a certificate has a known CRL or OCSP and it can not be checked, it is considered a revocation failure. In "require" mode, every certificate in the certificate path must have a CRL or OCSP. :param weak_hash_algos: A set of unicode strings of hash algorithms that should be considered weak. :param time_tolerance: Time delta tolerance allowed in validity checks. Defaults to one second. :param retroactive_revinfo: Treat revocation info as retroactively valid, i.e. ignore the ``this_update`` field in CRLs and OCSP responses. Defaults to ``False``. .. warning:: Be careful with this option, since it will cause incorrect behaviour for CAs that make use of certificate holds or other reversible revocation methods. Nz'Freshness has not been implemented yet.zFDealing with post-expiry revocation info has not been implemented yet.z crls must be a list of byte strings or asn1crypto.crl.CertificateList objects, not %s z ocsps must be a list of byte strings or asn1crypto.ocsp.OCSPResponse objects, not %s z_ allow_fetching must be False when moment is specified z revocation data is not optional and allow_fetching is False, however crls and ocsps are both None, meaning that no validation can happen z moment is a naive datetime object, meaning the tzinfo attribute is not set to a valid timezone ascii :>md2md5sha1) cert_fetcherr)8rTr?rHrVNotImplementedErrorrXrl isinstancer CertificateListbytes TypeErrorrrloadappendr OCSPResponserUrIrFrnowr utc utcoffsetset_whitelisted_certsdecodereplaceaddbinascii unhexlifyencodermrar get_fetchersrzrcertificate_registryrg _validate_map_crl_issuer_map_revocation_certs_crls_ocsps_extract_ocsp_certsr=_allow_fetching_soft_fail_exceptionsabsrrnro_acceptable_ac_targets)r(rcrdrerfrgrhrirjrkrlrmrnrorprqrrnew_crlscrl_ new_ocspsocsp_ rev_essentialwhitelisted_certrz ocsp_responser)r)r*__init__(sb                  zValidationContext.__init__r"cC|jSr#)rr'r)r)r*fetching_allowedz"ValidationContext.fetching_allowedcC|js|jSt|jjS)zM A list of all cached asn1crypto.crl.CertificateList objects )rrr^ra crl_fetcher fetched_crlsr'r)r)r*riszValidationContext.crlscCr)zK A list of all cached asn1crypto.ocsp.OCSPResponse objects )rrr^ra ocsp_fetcherfetched_responsesr'r)r)r*rj#szValidationContext.ocspscCst|jS)z A list of newly-fetched asn1crypto.x509.Certificate objects that were obtained from OCSP responses and CRLs )r^rvaluesr'r)r)r*new_revocation_certs.sz&ValidationContext.new_revocation_certscCr)zP A list of soft-fail exceptions that were ignored during checks )rr'r)r)r*soft_fail_exceptions7sz&ValidationContext.soft_fail_exceptionscCs |j|jvS)z Checks to see if a certificate has been whitelisted :param cert: An asn1crypto.x509.Certificate object :return: A bool - if the certificate is whitelisted )ryrr(certr)r)r*is_whitelisted?s z ValidationContext.is_whitelistedecCs|j|dSr#)rr)r(rr)r)r*_report_soft_failLsz#ValidationContext._report_soft_failcsN|js|jS|j}z |j|}W|Sty&|j|IdH}Y|Sw)z :param cert: An asn1crypto.x509.Certificate object :return: A list of asn1crypto.crl.CertificateList objects N)rrrarfetched_crls_for_certrEfetch)r(rrrrir)r)r*async_retrieve_crlsOs z%ValidationContext.async_retrieve_crlscCs(tdt|js |jSt||S)z .. deprecated:: 0.17.0 Use :meth:`async_retrieve_crls` instead. :param cert: An asn1crypto.x509.Certificate object :return: A list of asn1crypto.crl.CertificateList objects z@'retrieve_crls' is deprecated, use 'async_retrieve_crls' instead)warningswarnDeprecationWarningrrasynciorunrrr)r)r* retrieve_crlsas zValidationContext.retrieve_crlscsh|js|jS|j}|j|}|s2|j||IdH}z||Wn ty.tdw|g}|S)z :param cert: An asn1crypto.x509.Certificate object :param issuer: An asn1crypto.x509.Certificate object of cert's issuer :return: A list of asn1crypto.ocsp.OCSPResponse objects Nz9Failed to extract certificates from fetched OCSP response) rrrarfetched_responses_for_certrrrFr)r(rissuerrrrjrr)r)r*async_retrieve_ocspsus    z&ValidationContext.async_retrieve_ocspscCs*tdt|js |jSt|||S)aN .. deprecated:: 0.17.0 Use :meth:`async_retrieve_ocsps` instead. :param cert: An asn1crypto.x509.Certificate object :param issuer: An asn1crypto.x509.Certificate object of cert's issuer :return: A list of asn1crypto.ocsp.OCSPResponse objects zB'retrieve_ocsps' is deprecated, use 'async_retrieve_ocsps' instead)rrrrrrrr)r(rrr)r)r*retrieve_ocspssz ValidationContext.retrieve_ocspscCsp|dj}|dkr0|d}|djdkr2|dj}|dr4|dD]}|j|r/||j|j<q!dSdSdSdS) z Extracts any certificates included with an OCSP response and adds them to the certificate registry :param ocsp_response: An asn1crypto.ocsp.OCSPResponse object to look for certs inside of response_status successfulresponse_bytes response_typebasic_ocsp_responseresponsecertsN)nativeparsedradd_other_certr issuer_serial)r(rstatusrr other_certr)r)r*rs     z%ValidationContext._extract_ocsp_certscC||j|j<dS)a Records that a certificate has been validated, along with the path that was used for validation. This helps reduce duplicate work when validating a ceritifcate and related resources such as CRLs and OCSPs. :param cert: An ans1crypto.x509.Certificate object :param path: A pyhanko_certvalidator.path.ValidationPath object N)r signature)r(rpathr)r)r*record_validation z#ValidationContext.record_validationcCs6|j|r|j|jvrt||j|j<|j|jS)a] Checks to see if a certificate has been validated, and if so, returns the ValidationPath used to validate it. :param cert: An asn1crypto.x509.Certificate object :return: None if not validated, or a pyhanko_certvalidator.path.ValidationPath object of the validation path )ris_carrrgetrr)r)r*check_validationsz"ValidationContext.check_validationcCs|j|jvr |j|j=dSdS)z Clears the record that a certificate has been validated :param cert: An ans1crypto.x509.Certificate object N)rrrr)r)r*clear_validations z"ValidationContext.clear_validationcCr)aU Records the certificate that issued a certificate list. Used to reduce processing code when dealing with self-issued certificates and multiple CRLs. :param certificate_list: An ans1crypto.crl.CertificateList object :param cert: An ans1crypto.x509.Certificate object N)rr)r(certificate_listrr)r)r*record_crl_issuerrz#ValidationContext.record_crl_issuercCs|j|jS)a3 Checks to see if the certificate that signed a certificate list has been found :param certificate_list: An ans1crypto.crl.CertificateList object :return: None if not found, or an asn1crypto.x509.Certificate object of the issuer )rrr)r(rr)r)r*check_crl_issuers z"ValidationContext.check_crl_issuercCrr#)rr'r)r)r*rq rz'ValidationContext.acceptable_ac_targets)8r7r8r9rrmrrrrrrrrrgrarrJrrrrr Certificaterr~rLrr=r r}r rrTrrYrr<rrirjrrr Exceptionrrrrrrrrrrrrqr)r)r)r*r`s           n       r`c@sreZdZUedgZeed< dZeed< dZeed< dZ eed< e e dZ e ed< e edZe ed <d S) PKIXValidationParams any_policyuser_initial_policy_setFinitial_policy_mapping_inhibitinitial_explicit_policyinitial_any_policy_inhibitrZinitial_permitted_subtreesinitial_excluded_subtreesN)r7r8r9 frozensetrrJrr=rrrrrrrrr)r)r)r*rs      r)3rrPr dataclassesrrrrrtypingrrrr asn1cryptor r r asn1crypto.utilr _errorsr_typesrerrorsrrrrrr name_treesrrrrrregistryruniqueEnumrr?r%r$r;rDrOrTrYr`rr)r)r)r*s\      i $